Two critical bugs and more malicious apps make for a bad week for Android

It was a bad week for millions of
Android phone users. Two critical vulnerabilities were disclosed but
remain unpatched in a large percentage of devices, while, separately,
malicious apps were downloaded as many as 2.5 million times from
Google's official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday.
A large percentage of Android phones, however, aren't eligible to
receive the fixes. Even those that do qualify don't receive them
immediately (the September updates are currently not available as
over-the-air downloads for either of the Nexus 5X devices in my
household). The published fixes give attackers crude blueprints for exploiting
vulnerabilities that remain unpatched on millions of devices.

"Extremely serious bug"

The first vulnerability was disclosed by Mark
Brand, a researcher with Google's Project Zero security team. Indexed as
CVE-2016-3861, it allows attackers to execute malicious code or escalate local
privileges on vulnerable phones. Brand warned that it's "an extremely
serious bug" because it can be exploited in a large variety of ways. He
also said CVE-2016-3861 wasn't particularly hard to find, a finding
that increases the chances that other researchers already knew about it.
(In any event, Brand included proof-of-concept exploit code
with his disclosure. A Google spokesman said the exploit was for
research purposes, worked only on an undisclosed subset of Nexus
devices, and "could not be used in real world attacks without
substantial modification and even further research.") Brand didn't say
exactly which Android version introduced the code-execution
vulnerability, but he indicated that it's present in at least several of
the most recent releases.

"The provided exploit performs this on several
recent Android versions for the Nexus 5x and is both reliable and fast
in my testing," he wrote in a blog post published Wednesday.
"It would also be possible to make the exploit faster by directly
generating the exploit files in javascript, reducing the unnecessary
network round-trips [spent] retrieving identical mp4 files."

The same Android update patches a separate critical vulnerability that's similar to Stagefright.
Cataloged as CVE-2016-3862, it can be exploited by sending a
maliciously formatted jpeg image. When sent through Gmail or Google
Talk, the malicious code is concealed inside Exif data embedded in the image. The target doesn't need to click on anything to become compromised.
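The article doesn't describe the root cause of CVE-2016-3862, so the following is not a detector for that bug. It is an added example, not code from Ars Technica, Google or SentinelOne, of the kind of structural pre-check a practitioner can run on an incoming image before handing it to a native decoder: walk the JPEG marker chain, refuse segments whose declared length runs past the end of the file, and sanity-check the TIFF header and IFD0 entry count inside any APP1 Exif payload. The sample images are constructed inline; the helper names (`walk_jpeg_segments`, `check_exif_app1`, `triage_jpeg`) are this example's own.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
EXIF_HEADER = b"Exif\x00\x00"  # prefix of an APP1 segment that carries Exif


def walk_jpeg_segments(data):
    """Yield (marker, payload_offset, payload_length) for each header segment.

    Raises ValueError on any structural problem: a length field that points
    past the end of the buffer, a length below the 2-byte minimum, a missing
    marker byte. Walking stops at SOS, after which entropy-coded data follows.
    """
    if not data.startswith(SOI):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM, RSTn: no length field
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length field")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]  # length includes itself
        if seg_len < 2:
            raise ValueError(f"segment 0x{marker:02x} has length {seg_len} < 2")
        if pos + seg_len > len(data):
            raise ValueError(
                f"segment 0x{marker:02x} claims {seg_len} bytes, only {len(data) - pos} remain")
        yield marker, pos + 2, seg_len - 2
        pos += seg_len
        if marker == 0xDA:  # SOS: stop walking headers
            return
    raise ValueError("missing EOI")


def check_exif_app1(payload):
    """Validate the TIFF header inside an APP1 Exif payload.

    Returns None if the APP1 segment is not Exif (APP1 also carries XMP),
    otherwise (endian, ifd0_offset, entry_count). Raises ValueError when the
    IFD0 offset or declared entry count would read outside the payload.
    """
    if not payload.startswith(EXIF_HEADER):
        return None
    tiff = payload[len(EXIF_HEADER):]
    if len(tiff) < 8:
        raise ValueError("Exif TIFF header truncated")
    if tiff[:2] == b"II":
        endian = "<"
    elif tiff[:2] == b"MM":
        endian = ">"
    else:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    if ifd0 < 8 or ifd0 + 2 > len(tiff):
        raise ValueError(f"IFD0 offset {ifd0} points outside the Exif payload ({len(tiff)} bytes)")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    # each IFD entry is 12 bytes, followed by a 4-byte next-IFD pointer
    if ifd0 + 2 + count * 12 + 4 > len(tiff):
        raise ValueError(f"IFD0 declares {count} entries but payload is only {len(tiff)} bytes")
    return endian, ifd0, count


def triage_jpeg(data):
    """Return a list of findings; an empty list means the header structure looks sane."""
    findings = []
    try:
        for marker, off, length in walk_jpeg_segments(data):
            if marker == 0xE1:  # APP1
                try:
                    check_exif_app1(data[off:off + length])
                except ValueError as e:
                    findings.append(f"APP1/Exif: {e}")
    except ValueError as e:
        findings.append(f"JPEG: {e}")
    return findings


# --- constructed sample images (not real malware samples) ---

def build_exif_app1(count, ifd0=8, endian=">"):
    """APP1 Exif payload with one IFD0 declaring `count` zeroed entries."""
    tiff = (b"MM" if endian == ">" else b"II") + struct.pack(endian + "HI", 42, ifd0)
    tiff += struct.pack(endian + "H", count) + b"\x00" * (count * 12) + b"\x00\x00\x00\x00"
    return EXIF_HEADER + tiff


def build_jpeg(app1_payload, declared_len=None):
    """Minimal JPEG: SOI, APP1, SOS, EOI. `declared_len` overrides the APP1 length field."""
    seg_len = declared_len if declared_len is not None else len(app1_payload) + 2
    return SOI + b"\xff\xe1" + struct.pack(">H", seg_len) + app1_payload + b"\xff\xda\x00\x02" + EOI


WELL_FORMED = build_jpeg(build_exif_app1(1))
OVERSIZED_SEGMENT = build_jpeg(build_exif_app1(1), declared_len=0xFFFF)
BAD_IFD0_OFFSET = build_jpeg(build_exif_app1(1, ifd0=0x7FFFFFF0))
_p = build_exif_app1(1)
BAD_ENTRY_COUNT = build_jpeg(_p[:14] + struct.pack(">H", 5000) + _p[16:])  # count field at offset 14

if __name__ == "__main__":
    for name, img in [("well-formed", WELL_FORMED), ("oversized segment", OVERSIZED_SEGMENT),
                      ("bad IFD0 offset", BAD_IFD0_OFFSET), ("bad entry count", BAD_ENTRY_COUNT)]:
        print(name, "->", triage_jpeg(img) or "ok")
```

A check like this only rejects files whose declared structure cannot be satisfied by the bytes present; a crafted file can be internally consistent and still trigger a parser bug, so it complements rather than replaces patching the decoder.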

"To an advanced attacker, this was relatively
easy to find and in their wheelhouse to exploit," Tim Strazzere,
director of mobile research at SentinelOne and the researcher who
reported the bug to Google, told Threatpost. "You would have access to
anything that app had access to or leverage another exploit to get
system privileges or root."

The vulnerabilities were made public the
same week that security firm Checkpoint disclosed that recently
discovered apps, some available since April, had been downloaded from
Google Play as many as 2.5 million times. One malware family dubbed DressCode
was likely used to generate fraudulent clicks on ads, but Checkpoint
researchers said it could also be used to breach internal networks and
retrieve sensitive files from them. DressCode was found in more than 40
Google Play apps that had been downloaded from 500,000 to 2 million
times.

In a separate post published Thursday,
Checkpoint disclosed an app that contained code that redirected
infected phones to websites that generated fraudulent revenue. Known as
CallJam, the malware also included code that called fee-based premium
phone numbers, although this ability was only invoked after receiving
permission from end users. CallJam was embedded into an app called "Gems
Chest for Clash Royale," which was downloaded from 100,000 to 500,000
times. The app, along with those containing DressCode, was removed from
Play following the posts.

Post updated on September 10 to add details in the third paragraph about the proof-of-concept exploit.

Reviewed by Chidinma C Amadi at 10:15 PM